
Sneaky hackers use Intel management tools to bypass Windows firewall

Serial ports don’t have firewalls.

Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs. But their virtual counterparts are alive and well, and they can be used for some exciting things.


When you're a bad guy breaking into a network, the first problem you need to solve is, of course, getting into the remote system and running your malware on it. But once you're there, the next challenge is usually to make sure that your activity is as hard to detect as possible. Microsoft has detailed a neat technique used by a group in Southeast Asia that abuses legitimate management tools to evade firewalls and other endpoint-based network monitoring.

The group, which Microsoft has named PLATINUM, has developed a system for sending files—such as new payloads to run and new versions of their malware—to compromised machines. PLATINUM's technique leverages Intel's Active Management Technology (AMT) to do an end-run around the built-in Windows firewall. The AMT firmware runs at a low level, below the operating system, and it has access to not just the processor, but also the network interface.

The AMT needs this low-level access for some of the legitimate things it's used for. It can, for example, power cycle systems, and it can serve as an IP-based KVM (keyboard/video/mouse) solution, enabling a remote user to send mouse and keyboard input to a machine and see what's on its display. This, in turn, can be used for tasks such as remotely installing operating systems on bare machines. To do this, AMT not only needs to access the network interface, it also needs to simulate hardware, such as the mouse and keyboard, to provide input to the operating system.

But this low-level operation is what makes AMT attractive for hackers: the network traffic that AMT uses is handled entirely within AMT itself. That traffic never gets passed up to the operating system's own IP stack and, as such, is invisible to the operating system's own firewall or other network monitoring software. The PLATINUM software uses another piece of virtual hardware—an AMT-provided virtual serial port—to provide a link between the network itself and the malware application running on the infected PC.

Communication between machines uses serial-over-LAN traffic, which is handled by AMT in firmware. The malware connects to the virtual AMT serial port to send and receive data. Meanwhile, the operating system and its firewall are none the wiser. In this way, PLATINUM's malware can move files between machines on the network while being largely undetectable to those machines.

AMT has been under scrutiny recently after the discovery of a long-standing remote authentication flaw that enabled attackers to use AMT features without needing to know the AMT password. This in turn could be used to enable features such as the remote KVM to control systems and run code on them.

However, that's not what PLATINUM is doing: the group's malware requires AMT to be enabled and serial-over-LAN turned on before it can work. This isn't exploiting any flaw in AMT; the malware just uses the AMT as it's designed in order to do something undesirable.

Both the PLATINUM malware and the AMT security flaw require AMT to be enabled in the first place; if it's not turned on at all, there's no remote access. Microsoft's write-up of the malware expressed uncertainty about this part; it's possible that the PLATINUM malware itself enabled AMT—if the malware has Administrator privileges, it can enable many AMT features from within Windows—or that AMT was already enabled and the malware managed to steal the credentials.

While this novel use of AMT is useful for transferring files while evading firewalls, it's not undetectable. Using the AMT serial port, for example, is detectable. Microsoft says that its own Windows Defender Advanced Threat Protection can even distinguish between legitimate uses of serial-over-LAN and illegitimate ones. But it's nonetheless a neat way of bypassing one of the more common protective measures that we depend on to detect and prevent unwanted network activity.
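Because the serial-over-LAN traffic never reaches the host's IP stack, the place to look for it is the network itself (a switch SPAN port or a flow collector), not the endpoint. The following is an added example, not code from the article or from Microsoft's PLATINUM report: it flags sessions to AMT's redirection ports in constructed flow records, assuming a site-specific management-console allowlist and a workstation subnet that should never drive AMT.

```python
"""Flag Intel AMT serial-over-LAN sessions in network flow records.
Added example. Record format (constructed):
'timestamp src_ip src_port dst_ip dst_port proto bytes'.
The console allowlist and client subnet are assumed, site-specific values."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional

# Intel AMT listens on TCP 16992-16995: 16992/16993 serve the web and
# WS-Management interface, 16994/16995 the redirection channel (SOL, IDE-R).
AMT_WEB_PORTS = frozenset({16992, 16993})
AMT_REDIRECTION_PORTS = frozenset({16994, 16995})

# Assumed site policy: one sanctioned console; 10.0.5.0/24 is plain workstations.
ALLOWED_CONSOLES = frozenset({ip_address("10.0.1.10")})
CLIENT_SUBNET = ip_network("10.0.5.0/24")

# Constructed flow records, not captured from a real network.
SAMPLE_FLOWS = """\
2017-06-08T10:00:01 10.0.5.20 51000 10.0.5.31 16994 tcp 4180
2017-06-08T10:00:02 10.0.1.10 52000 10.0.5.31 16993 tcp 2210
2017-06-08T10:00:03 10.0.5.20 51001 10.0.5.31 443 tcp 900
2017-06-08T10:00:04 10.0.9.7 53000 10.0.5.44 16995 tcp 16390
"""

@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str
    nbytes: int

def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return Flow(ts, ip_address(src), int(sport), ip_address(dst), int(dport), proto, int(nbytes))

def classify(flow: Flow) -> Optional[str]:
    """Return None for flows that need no attention, otherwise a finding string."""
    if flow.proto != "tcp" or flow.dport not in AMT_WEB_PORTS | AMT_REDIRECTION_PORTS:
        return None
    if flow.src in ALLOWED_CONSOLES:
        return None  # sanctioned management console doing its job
    kind = "amt-sol" if flow.dport in AMT_REDIRECTION_PORTS else "amt-web"
    if flow.src in CLIENT_SUBNET:
        # A workstation opening a peer's AMT channel is the lateral pattern the article describes.
        return f"{kind} lateral: {flow.src} -> {flow.dst}:{flow.dport} ({flow.nbytes} bytes)"
    return f"{kind} unsanctioned source: {flow.src} -> {flow.dst}:{flow.dport}"

def find_suspicious(lines) -> List[str]:
    """Run classify() over raw records, skipping blank lines."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify(parse_flow(line))
            if finding:
                findings.append(finding)
    return findings
```

Running `find_suspicious(SAMPLE_FLOWS.splitlines())` returns two findings: the workstation-to-workstation SOL session and the SOL session from an address outside both the console allowlist and the client subnet.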

86 Reader Comments

Intel AMT is a fucking disaster from a security standpoint. It is utterly dependent on security through obscurity with its "secret" coding, and anybody should know that security through obscurity is no security at all.

"Microsoft says that its own Windows Defender Advanced Threat Protection can even distinguish between legitimate uses of serial-over-LAN and illegitimate ones. But it's nonetheless a neat way of bypassing one of the more common protective measures that we depend on to detect and prevent unwanted network activity."

Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs.

Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

As an aside, it's likely that every single product you own that has more than three parts had a machine with a serial connection involved in its manufacture. Serial is alive and massively well in industrial and embedded contexts. You can actually buy modern embedded motherboards with many (4+) hardware serial ports quite easily.

This is pretty fascinating and clever TBH. AMT might be convenient for sysadmin, but it's proved to be a massive PITA from the security perspective. Intel needs to really reconsider its approach or drop it altogether.

"it's possible that the PLATINUM malware itself enabled AMT—if the malware has Administrator privileges, it can enable many AMT features from within Windows"

I've only had 1 machine that had AMT (a Thinkpad T500 that somehow still runs like a charm despite hitting the 10-year mark this summer), and AMT was toggled directly via the BIOS (this is all pre-UEFI). Would Admin privileges be able to overwrite a BIOS setting? Would it matter if it was handled via UEFI instead?

Using SOL and AMT to bypass the OS sounds like it would work over SOL and IPMI as well.

I only have one server that supports AMT; I just double-checked whether the web UI for AMT allows you to enable/disable SOL. It does not, at least on my version. But my IPMI servers do allow someone to enable SOL from the web interface.

But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of the threat. Do people really admin a machine through AMT through an external firewall?

Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs.

Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter?

I'm not the person you're asking, but yes, this is what I do whenever I have to talk to a piece of networking equipment for initial configuration or whatever. It's also why I don't care that I no longer have physical serial ports, although it is annoying having to remember which COM port is which physical USB port.

Intel AMT is a fucking disaster from a security standpoint. It is utterly dependent on security through obscurity with its "secret" coding, and anybody should know that security through obscurity is no security at all.

... on Windows, as MSFT doesn't keep the links separate. Refer to our last Ars firestorm regarding this same topic.

Businesses demanded this technology and, of course, Intel beats the drum for it as well. While I understand their *original* concerns I would never, ever connect it to the outside LAN. A real admin, in jeans and a tee, is a much better solution.

Hopefully, either Intel will start looking into improving this and/or MSFT will make enough noise that businesses might learn to do their updates and provisioning in a more secure manner.

Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs.

Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

As an aside, it's likely that every single product you own that has more than three parts had a machine with a serial connection involved in its manufacture. Serial is alive and massively well in industrial and embedded contexts. You can actually buy modern embedded motherboards with many (4+) hardware serial ports quite easily.

Indeed, many industrial scanners and cameras still use serial. (Many are USB as well.) I'm talking the scanners that would be in use at grocery stores, in pharmaceutical applications, and the like. The cameras that I used (both USB and serial) were also in the pharma industry. They are used by robots (also often serial) to make sure they are picking up the right pill to put into a bottle during automation. Hell, even talking to a PLC can involve serial communications, which accounts for nearly all automation that involves moving hardware/robotics.

But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of the threat. Do people really admin a machine through AMT through an external firewall?

The interconnect is via W*. We ran this dog into the ground last month. Other OSs (all as far as I know (okay, !MSDOS)) keep them separate. Lan0 and lan1 as it were. However it is possible to access the supposedly closed off Lan0/AMT via W*. Which is probably why this was caught in the first place.

Note that MSFT has stepped up to the plate here. This is much better than their traditional silence until forced solution. Which is just the same security through plugging your fingers in your ears that Intel is supporting.

Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs.

Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

As an aside, it's likely that every single product you own that has more than three parts had a machine with a serial connection involved in its manufacture. Serial is alive and massively well in industrial and embedded contexts. You can actually buy modern embedded motherboards with many (4+) hardware serial ports quite easily.

Serial ports are still alive and well in the casino industry, too! Pretty much every slot machine I work on has anywhere from four to eight or more serial ports, usually driven by non-consumer UART chips because they have to support multidrop/wakeup parity (mark for address byte, space for data byte) for certain communication protocols. Banknote acceptors, thermal printers, LED controllers, reel controllers, button panels, touchscreens, progressive link systems, accounting systems, software authentication systems... They're slowly being replaced by USB, but many slot machine manufacturers and casinos aren't particularly interested in supporting the newer, more complicated protocols that come with the new peripherals.

Up until last November, our entire slot accounting network ran on 19200 baud RS-485. (Now the slot machines still talk to the interface board with the same 19200 baud serial as before, but the interface boards are embedded PCs on the company intranet.)

But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of the threat. Do people really admin a machine through AMT through an external firewall?

The catch would be any machine that leaves your network with AMT enabled. Say perhaps an AMT managed laptop plugged into a hotel wired network. While still a smaller attack surface, any cabled network an AMT computer is plugged into, and not managed by you, would be a source of concern.

Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs.

Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter?

The problem is that "traditional serial communication" is not something that is unambiguously defined these days.

The usual cheap USB converter is powered with 5 V or 3 V (marked as "TTL serial" levels), but the original RS232 can use up to +/-15 V (a difference of 30 V, though usually it was +/-12 V), so for some devices (older industrial or military-grade stuff) it might not work, or worse.

Even if they claim to use RS232 serial you will need additional elements to be fully compatible (e.g. https://en.wikipedia.org/wiki/MAX232); most embedded devices' "serial ports" are 3 V and 5 V (or even less). To cut corners, this might or might not be in some USB adapters.

In that case, even the DB9 connector is superfluous: to communicate with (e.g.) a Raspberry Pi or Arduino you can buy something like this (https://www.sparkfun.com/products/12977 ; always mind the voltage levels!) or even cheaper on eBay.

This is pretty fascinating and clever TBH. AMT might be convenient for sysadmin, but it's proved to be a massive PITA from the security perspective. Intel needs to really reconsider its approach or drop it altogether.

"it's possible that the PLATINUM malware itself enabled AMT—if the malware has Administrator privileges, it can enable many AMT features from within Windows"

I've only had 1 machine that had AMT (a Thinkpad T500 that somehow still runs like a charm despite hitting the 10-year mark this summer), and AMT was toggled directly via the BIOS (this is all pre-UEFI). Would Admin privileges be able to overwrite a BIOS setting? Would it matter if it was handled via UEFI instead?

I'm not even sure it's THAT convenient for sysadmins. I'm one of a couple hundred sysadmins at a large organization and none that I've talked with actually use Intel's AMT feature. We have an enterprise KVM (Raritan) that we use to access servers pre-OS boot-up, and if we have a desktop that we can't remote into after sending a WoL packet then it's time to just hunt down the desktop physically. If you're just pushing out a new image to a desktop you can do that remotely via SCCM with no local KVM access necessary. I'm sure there are some sysadmins that make use of AMT but I wouldn't be surprised if the numbers were quite small.

Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs.

Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter?

There are lots of options. You can still purchase cards to be installed (in non-laptops), you can use serial-to-USB converters (which can be problematic because you can't depend upon them always enumerating in the same order) or you can use serial-to-network adapters. These can support 250 or more serial ports on a single network connection.

Something that bears mentioning too, regarding the discussion around serial ports being used in the industrial context:

Most of the kind of equipment being referred to is big, incredibly expensive, often mission-critical, not easily replaced and designed with a (usually long) service life in mind. It may outlive many of the control or monitoring machines (if we are talking about desktop computers) attached to it.

Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs.

Not that fortunately... Serial ports are still very useful for management tasks. It's simple and it works when everything else fails. The low speeds impose few restrictions on cables.

Sure, they don't have much security, but that is partly mitigated by them usually only using a few metres of cable length. So they'd be covered under the same physical security as the server itself. Making this into a LAN protocol without any additional security, that's where the problem was introduced. Wherever long-distance lines were involved (modems) the security was added at the application level.

USB-to-Serial dongles are an option but not a perfect one. As someone has pointed out, many don't implement all the right signals. Also, the timing can be off (partly because USB 1.1/2.0 only uses host-to-device polling). Some older equipment can be quite fussy about that.

Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs.

Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter?

We just got some new Dell workstations at work recently. They have serial ports. We avoid the consumer machines.

I recently bought a new motherboard and CPU for my home computer. The main board has an RS232 and an LPT connection header, which surprised me. So you can find modern (consumer) PCs that support serial and parallel ports.

Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs.

Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

As an aside, it's likely that every single product you own that has more than three parts had a machine with a serial connection involved in its manufacture. Serial is alive and massively well in industrial and embedded contexts. You can actually buy modern embedded motherboards with many (4+) hardware serial ports quite easily.

I would rather have TTL serial ports than RS-232. I've never had any use for RS-232, so in that regard and on a personal level, I agree with the author, but I do use TTL-level serial ports all the time and those are completely missing from PCs.